3rd party authentication_backend #7316

Open
2 tasks done
cornelinux opened this issue May 16, 2024 · 2 comments
Labels
priority/4/normal Normal priority items status/needs-design Requires thoughtful design type/feature Request for adding a new feature

Comments

@cornelinux

Description

I would like to use Authelia with 2nd factors managed in privacyIDEA, allowing an organization to manage their 2nd factors centrally and use these for all login scenarios.

I was not sure, if I should comment on #2784 or #3069, but decided to open a new FR.

Since the config allows to define the authentication_backend:

authentication_backend:
  ldap:
    <ldap specific config>

I think from a config standpoint and update resistance it should be possible to "configure" other authentication backends.
So I was wondering if there is or can be a way to add custom authentication backends.

Use Case

An organization uses 2nd factors at VPN via RADIUS, at Windows Login, at Linux Login via the PAM stack and other locations. The 2nd factors are centrally managed within privacyIDEA (or name any other MFA management system).

The organization is also using Authelia for some web pages that do not allow authentication via SAML or OpenID Connect, making it difficult to add a 2nd factor. So such a web application (aka WebAppX) is located behind Authelia. Within Authelia a 2nd factor is managed.

The problem is that admins now need to manage 2nd factors in two places. In Authelia for access to WebAppX and in privacyIDEA for authentication at the VPN, at Windows clients, at Linux clients and all other locations.

The idea is to allow the management of all 2nd factors in one place and connect Authelia to this authentication system.

Details

I would like a description of how to add a new authentication_backend to Authelia, including:

  • Which API it needs to provide
  • where it needs to be located in the filesystem
  • how it needs to be registered and loaded

It could then be configured like:

authentication_backend:
  my_funky_backend:
    individual_optionA: ....
    individual_optionB: ...

The possibility to add such a backend would be enough - no need to implement such a backend.

Documentation

With regard to privacyIDEA, such a backend would call the validate/check endpoint.
https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-check

It could be simply configured like all other plugins:

authentication_backend:
  privacyidea:
    url: https://privacyidea.example.com/instance1
    verify_ssl: true
    realm: admins

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • I have checked for related issues and checked the documentation
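An added sketch (not part of the issue, and not Authelia or privacyIDEA project code) of what the backend described above would do: POST user, pass and realm to `<url>/validate/check` and turn the `result.status` / `result.value` fields of the JSON answer into an accept, a deny or an error. The `Config` type, the `CheckCredentials` function and the constructed `NewFakePrivacyIDEA` test server are hypothetical names chosen for this example; only `url` and `realm` from the sketched config are modelled, and only the `result` portion of the real response is read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config mirrors the url/realm options sketched in the issue (hypothetical, not an Authelia type).
type Config struct {
	URL   string // base URL of the privacyIDEA instance, e.g. https://privacyidea.example.com/instance1
	Realm string // realm sent with every request, e.g. "admins"
}

// checkResponse is the subset of the /validate/check JSON we read: result.status says whether the
// request was processed, result.value whether the credentials were accepted (keys match case-insensitively).
type checkResponse struct {
	Result struct{ Status, Value bool } `json:"result"`
}

// CheckCredentials POSTs user, pass and realm to <URL>/validate/check and reports the verdict.
// Anything other than a well-formed status=true answer is an error, never a silent "denied".
func (c Config) CheckCredentials(client *http.Client, user, pass string) (bool, error) {
	form := url.Values{"user": {user}, "pass": {pass}, "realm": {c.Realm}}
	resp, err := client.PostForm(strings.TrimRight(c.URL, "/")+"/validate/check", form)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var parsed checkResponse
	if err := json.NewDecoder(resp.Body).Decode(&parsed); err != nil {
		return false, fmt.Errorf("decoding /validate/check response: %w", err)
	}
	if !parsed.Result.Status {
		return false, fmt.Errorf("privacyIDEA reported result.status=false")
	}
	return parsed.Result.Value, nil
}

// NewFakePrivacyIDEA is a constructed stand-in that accepts exactly one user/pass pair and answers
// in the /validate/check result shape, so the backend can be exercised offline.
func NewFakePrivacyIDEA(wantUser, wantPass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/validate/check") {
			http.NotFound(w, r)
			return
		}
		ok := r.PostFormValue("user") == wantUser && r.PostFormValue("pass") == wantPass
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"result":{"status":true,"value":%t}}`, ok)
	}))
}
```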

@cornelinux cornelinux added priority/4/normal Normal priority items status/needs-design Requires thoughtful design type/feature Request for adding a new feature labels May 16, 2024

glime-ai bot commented May 16, 2024

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

Currently, Authelia supports two primary methods for first-factor authentication: LDAP and file-based (YAML) storage, as detailed in the configuration documentation. For second-factor authentication, Authelia supports methods like TOTP, WebAuthn, and Duo.

Regarding the integration of a custom authentication backend like privacyIDEA for managing second factors, Authelia does not natively support custom authentication backends out of the box. The configuration and system design of Authelia are built around predefined authentication methods, primarily focusing on LDAP and file-based systems for the first factor and the mentioned methods for the second factor.

To integrate privacyIDEA or any other custom authentication system, significant modifications to Authelia's source code would be required. This would involve:

  1. Understanding Authelia's plugin architecture and how authentication modules are loaded and managed.
  2. Developing a custom module that can interface with the privacyIDEA API, handling the specific endpoints and responses.
  3. Ensuring that this module can be configured through Authelia's YAML configuration files, similar to existing authentication backends.

This kind of development would require deep knowledge of Authelia's codebase and possibly contributing to the project directly if you intend for this to be a reusable feature for others. You might consider opening a feature request on Authelia's GitHub repository or checking if there are existing requests for such functionality.

For direct integration without modifying Authelia, you might consider using privacyIDEA to manage all second factors and then using a standard protocol like SAML or OpenID Connect, which Authelia supports as an identity provider, to handle authentication requests. This setup would allow you to centralize second-factor management in privacyIDEA while leveraging Authelia for web application access control.

This comment was generated by Glime.

@cornelinux (Author)

Interesting. When I read the documentation my understanding is that Authelia does not act as a relying party but as a provider.
https://www.authelia.com/integration/openid-connect/introduction/
If Authelia was able to act as a relying party then we could redirect to another SSO IdP that supports privacyIDEA.
But since this is not the case, my search continues.
